Home Node B (HNB) and/or Home eNodeB (HeNB) are apparatus of cellular access points that connect to the mobile operator's core network (CN) by broadband Internet connection. HNB and HeNB are abbreviated as H(e)NB thereinafter. Local Internet Protocol Access (LIPA) is the apparatus of telecommunications service which utilizes the features of H(e)NB and allows mobile user equipments (UEs) to connect to and to access data in the local home IP network of the UE without traversing through CN. LIPA may utilize mobile user equipments (UEs) such as mobile devices and mobile phones, through the LIPA and home IP devices, such as personal computers, printers, TVs, multimedia servers, etc., to communicate with applications for obtaining application services such as file relocation, device sharing, video streaming, and remote control, etc., For telecom operators, LIPA presents the opportunities for creating new services and generating additional profits, without consuming transmission resources of the core network. LIPA also benefits users in high-speed transmission without being limited by the transmission resources of the core network.
There are many related literatures and technologies for cross-network authentication. For example, a literature for cross-network authentication discloses the use of third-party secure management network (SMN) to perform security management among different networks. Network and network entity (NE) first perform registration to SMN and establish security association; if no security associated with the SMN, a gateway that security associated with SMN is required to intercommunicate with the NE and the SMN.
In another revealed literature, in cross-network authentication, the visiting network and the home network must establish trust relationships before providing cross-network communication services to UE. The functions in the cross-network authentication procedure disclosed by this referenced literature include the UE requests authentication to the visiting network, the visiting network requests the home network to authenticate the UE, the home network requests authentication to a central server with information of visiting network and transmits back the authentication results to the visiting network, and the UE determines whether to trust the dynamic host configuration protocol (DHCP) address provided by the visiting network according to the information provided by the home network.
Another literature discloses that in the process of cross-network connections, access, authorization, and accounting (AAA) proxy servers may use the key generated by the AAA server to generate multiple keys for different networks. Each AAA proxy server is responsible for the storage and the mapping of the corresponding temporary UE ID and keys, as well as the mapping of keys and the corresponding networks, to enhance the efficiency of authentication during handover. Besides, the UE may avoid transmitting permanent ID across the network.
Yet another literature discloses that a plurality of network nodes obtain and keep the authentication information of each other as common security information before providing cross-network communications services. Based on the common security information the plurality of network nodes may obtain a list of mutual trust alliance and the authentication information of the mutual trust alliance by one or more third-party authentication centers. Another revealed literature discloses that a plurality of applications perform authentication to the server through a same gateway (GW), the GW wherein retrieves the authentication information of all applications from an authentication center in one time. The GW is able to authenticate every individual application which the authentication information is kept in the GW, and every application may perform network transmission through the GW.
FIG. 1 illustrates an existing Third Generation Partnership Procedure (3GPP) compatible network architecture apparatus which involves H(e)NB in the access networks. Wherein Local Gateway (LGW) is a logical functional unit of H(e)NB. With a part of the functions of the Gateway General Packet Radio Service (GPRS) Support Node (GPRS Support Node is abbreviated as GGSN thereinafter), LGW is responsible for transmitting the information received from the UE to home devices through the IP network, as well as transmitting the information received from the home device to the UE through the telecommunications network. There is a user plane connection between LGW and H(e)NB, and the interface between LGW and the serving GPRS Support Node is Gn/S5 interface. Serving GPRS Support Node is abbreviated as SGSN thereinafter.
A LGW and an H(e)NB may be composed as a logical network entity that is referred as a LIPA network entity thereinafter. The method and the apparatus of forming a LIPA network entity includes implementing LGW and H(e)NB as an individual network entity, or associating LGW and H(e)NB as a logical network entity by way of security association. In FIG. 1, the network access architecture of H(e)NB defined by 3GPP does not support functions for global mobile access. In other words, UE may only access its home network under the service coverage of its home H(e)NB (HHNB). Any one of other H(e)NBs, naming a visiting H(e)NB, is abbreviated as VHNB thereinafter.
In order to enable the accessibility for UE to access the HHNB when the UE is served by a VHNB and/or by macro-cell without modifying the network entities and control messages of CN, another implementation of LIPA network is shown in FIG. 2. FIG. 2 illustrates an exemplary access network architecture with modified H(e)NB. In FIG. 2, LGW not only equipped with a portion of GGSN functionality but additionally also has a part of SGSN functionality. Accordingly a control plane interface is needed between HNB and LGW, and Gn/S5 interface is required between different LGW. Also in this architecture, all control messages will go through LGW. An LGW will act as a SGSN or GGSN when the LGW is capable of handling a received control message; otherwise, the LGW routes the received control message to CN. Consequently, Iuh interface and Gn/S5 interface are needed in between of LGW and CN. When a LGW is not capable to handle the control message received from HNB via the Iuh interface, the LGW routes the received control message to CN through the Iuh interface between the LGW and CN; when a LGW is not capable to handle the control message received from other LGW via the Gn/S5 interface, the LGW routes the received control message to CN through the Gn/S5 interface.
Every LIPA network entity accomplishes the authentication procedure to CN to achieve a mutual trust relationship of the LIPA network entity and CN before the LIPA network entity joining a network to provide communication service. When a UE enters a LIPA network service area, it is authenticated to CN via the LIPA entity of the LIPA network, to obtain the services provided by the LIPA network and the LIPA network entity. The UE attach procedure shown in FIG. 3 illustrates the procedure that a UE successfully authenticates to CN, e.g., SGSN and/or Home Location Register (HLR), through a LIPA network.
In the above mentioned network architecture and other existing 3GPP architecture, it is needed to ensure the mutual trust relationship among the UE, CN, the visiting LIPA network entity, and the home LIPA network entity, and to verify that the UE is authorized to access the home LIPA network before initiating LIPA service.